Fortinet black logo

Administration Guide

Creating ClearPass connector

Creating ClearPass connector

ClearPass Policy Manager (CCPM) is a network access system that can send information about authenticated users to third party systems, such as a FortiGate or FortiManager. ClearPass connector for FortiManager centralizes updates from ClearPass for all FortiGate devices and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

You can create multiple ClearPass connectors per ADOM.

Requirements:

  • FortiManager version 5.6 or later ADOM

    This example applies to version 6.0 or later ADOMs.

  • FortiGate is managed by FortiManager and configured to work with ClearPass
  • JSON API is exposed, allowing ClearPass to call it
To configure ClearPass:
  1. Log in to ClearPass Policy Manager..
  2. Create roles:
    1. Go to Configuration > Identity > Roles.
    2. Click Add.
    3. For the name, enter mytest1.

      FortiManager will get this group as an Active Directory group.

      The Description field is optional.

    4. Click Save.
  3. Create local users:
    1. Go to Configuration > Identity > Local Users.
    2. Click Add.
    3. Configure the following:
      • Set User ID to test1.
      • Set Name to testUser1.
      • Set Password to qa1234.
      • Select Enable.
      • Set Role to mytest1.

    4. Click Add.
  4. Add an Ubuntu simulator:
    1. Go to Configuration > Network > Devices.
    2. Click Add.
    3. Configure the following settings:
      • Set Name to Ubuntu_test.
      • Set IP or Subnet Address to 10.3.113.61.
      • Set RADIUS Shared Secret to qa1234.
      • Set Vendor Name to Unix.

    4. Click Add.
  5. Configure FortiManager to get packets from ClearPass:
    1. Add FortiManager as the Endpoint Context Server:
      1. Go to Administration > External Servers > Endpoint Context Servers.
      2. Click Add.
      3. Configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Authentication Method to Basic.
        • Set Username to admin (the administrator on FortiManager).
    2. Create Endpoint Context Server Login action for FortiManager:
      1. Go to Administration > Dictionaries > Context Server Actions
      2. Click Add.
      3. On the Action tab, configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Action Name to Frank-FMG-login.
        • Set Description to Inform FortiManager that the user logged on.
        • Set HTTP Method to POST.
        • Set Authentication Method to Basic.
        • Set URL to /jsonrpc/connector/user/login

      4. On the Header tab, configure the following:
        • Set Header Name to Content-Type.
        • Set Header Value to application/json.

      5. On the Content tab, configure the following:

        • Set Content-Type to JSON.
        • Set Content to:
          {
          																																																																																	   
          																		 
          																																																										  
          																   
          																																																																																																																																																
          																   
          																																																																																																									 
              "adom": "root",
              "connector": "test", <--------the connector name created on FortiManager
              "user": "%{Authentication:Username}",
              "role": "%{Tips:Role}",
              "ip-addr": "%{ip}"
          }

      6. Click Save.
    3. Create Endpoint Context Server Logout action for FortiManager:
      1. Go to Administration > Dictionaries > Context Server Actions
      2. Click Add.
      3. On the Action tab, configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Action Name to Frank-FMG-logout.
        • Set Description to Inform FortiManager that the user logged out.
        • Set HTTP Method to POST.
        • Set Authentication Method to Basic.
        • Set URL to /jsonrpc/connector/user/logout

      4. On the Header tab, configure the following:
        • Set Header Name to Content-Type.
        • Set Header Value to application/json.
      5. On the Content tab, configure the following:
        • Set Content-Type to JSON.
        • Set Content to:
          {
          																																																																																				 
          																   
          																																																																																																																																															 
          																   
          																																																	
          	 
          			
              "adom": "root",
              "connector": "test",
              "user": "%{Authentication:Username}",
              "role": "%{Tips:Role}",
              "ip-addr": "%{ip}"
          							
          																																																										
             
          																																																																																	   
          }
      6. Click Save.
    4. Check that the actions are added to the server:
      1. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions.
      2. Locate the two just created actions.

  6. Create a profile:
    1. Go to Configuration > Enforcement > Profiles.
    2. Click Add.
    3. On the Profile tab, configure the following:
      • Set Template to Session Notification Management.
      • Set Name to FortiManager Login and Logout.
      • Set Description to FortiManager - Initial SSO integration testing.
      • Set Type to Post_Authentication.

    4. On the Attributes tab, configure the following attributes:

      Type

      Name

      Value

      Session-Notify

      Server Type

      Generic HTTP

      Session-Notify

      Login Action

      Frank-FMG-login

      Session-Notify

      Logout Action

      Frank-FMG-logout

      Session-Notify

      Server IP

      10.3.113.57

    5. Click Save.
  7. Create a policy:
    1. Go to Configuration > Enforcement > Policies.
    2. Click Add.
    3. On the Enforcement tab, configure the following:
      • Set Name to FortiManager testing.
      • Set Enforcement Type to RADIUS.
      • Set Default Profile to Allow Access Profile.

    4. On the Rules tab, configure the following:
      • Set Type to Date.
      • Set Name to Date-Time.
      • Set Operation to EXISTS.
      • Set Profile Names to [Post Authentication][FortiManager - Login and Logout].

    5. Click Save.
  8. Create services:
    1. Go to Configuration > Services.
    2. Click Add.
    3. On the Service tab, configure the following:
      • Set Name to API Test Access OAuth2 API User Access.
      • Set Description to Authentication service for API access using OAuth2.
      • Set Type to Aruba Application Authentication.
      • Set Status to Enabled.

    4. On the Authentication tab, set Authentication Sources to:

      [Local User Repository] [Local SQL DB]

      [Admin User Repository] [Local SQL DB]

    5. On the Enforcement tab, configure the following:
      • Set Enforcement Policy to [Guest Operator Logins].
      • Set Description to Enforcement policy controlling access to Guest application.
      • Set Default Profile to [Deny Application Access Profile].
      • Set Rules Evaluation Algorithm to first-applicable.
      • Create the following two conditions:

        Conditions

        Enforcement Profiles

        1.

        (Tips:Role EQUALS [User Authenticated])

        AND  (Authentication:Source EQUALS [Local User Repository])

        [Operator Login - Local Users]

        2.

        (Tips:Role EQUALS [User Authenticated])

        AND  (Authentication:Source EQUALS [Admin User Repository])

        [Operator Login - Admin Users]

    6. Click Save.
    7. Click Add again to add another service.
    8. On the Service tab, configure the following:
      • Set Name to AuthN user for Fortimanager Testing.
      • Set Description to Authorization service for AirGroup device access.
      • Set Type to RADIUS Enforcement ( Generic ).
      • Set Status to Enabled.
      • Create the following service rule:

        Type

        Name

        Operator

        Value

        Radius:IEFT

        NAS-IP-Address

        EQUALS

        10.0.0.1

    9. On the Authentication tab, configure the following:
      • Set Authentication Methods to [PAP].
      • Set Authentication Sources to [Local User Repository] [Local SQL DB].
    10. On the Enforcement tab, configure the following:
      • Set Enforcement Policy to fortimanager testing .
      • Set Default Profile to [AllowAccess Profile].
      • Set Rules Evaluation Algorithm to evaluate-all.
      • Create the following condition:

        Conditions

        Enforcement Profiles

        1.

        (GuestUser:Company Name NOT_EQUALS ABCDE)

        [FortiManager-login and Logout]

    11. Click Save.
  9. Configure the administrator the FortiManager fabric connector uses to access CPPM APIs:
    1. Go to Administration > Admin Users.
    2. Click Add.
    3. Configure the following:
      • Set User ID to admin.
      • Set Name to admin.
      • Set Password to qa987654.
      • In Verify Password enter the password again.
      • Select Enable User.
      • Set Privilege Level to API Administrator.
    4. Click Save.
  10. Create an API Client:
    1. Log in to ClearPass Guest.

    2. Go to Administration > API Services > API Clients.
    3. Click Create API Client.
    4. Configure the following:
      • Set Client ID to test.
      • Set Desciption to FMG login from it.
      • Select Enable API client.
      • Set Operator Profile to Super Administrator.
      • Set Grand Type to Username and password credentials (grant_type=password).
      • In Public Client select This client is public (trusted) client.
      • In Refresh Token select Allow the use of refresh tokens for this client.

    5. Click Save.
To configure FortiManager:
  1. Log in to FortiManager.
  2. Run the following CLI command:
    config system admin user
        edit  admin
            set rpc-permit read-write
        next
    end
  3. Go to Fabric View > Fabric Connectors.
  4. Click Create New.

  5. Select ClearPass, then click Next.
  6. Configure the following:
    • Set Name to test. This name must be same as the one used in the ClearPass actions.
    • Set Status to On.
    • Set Server to 10.3.113.102 (the ClearPass IP address).
    • Set Client to test (the previously created ClearPass API client).
    • Set User to admin (the ClearPass login name).
    • Set Password to qa1234 (the ClearPass login password).

  7. Click OK.
  8. Get the role and user from ClearPass:
    1. Go to Policy & Objects > Object Configurations > Fabric Connectors >SSO/Identity.
    2. Edit the ClearPass connector and click Apply & Refresh.

      FortiManager retrieves the roles and users from ClearPass. Users with green icons are currently logged in.

  9. Install the address group from ClearPass to FortiGate:
    1. On the FortiManager, go to Policy & Objects > Object Configurations > User & Devices > User Groups.
    2. Click Create New.
    3. Configure the following:
      • Set Group Name to cpp1.
      • Set Type to FSSO/SSO Connectors.
      • Select Members as ClearPass adgrp.

  10. Use the new user group in a policy to install it to FortiGate.
  11. To check that the group was installed on the FortiGate:
    1. On the FortiGate, go to User & Device > User Groups. The group will be in the user group list.
    2. Edit the group to view its members.
    3. In the CLI console, enter the following:
      # diagnose debug authd fsso list
      ----FSSO logons----
      IP: 10.210.15.185  User: user1  Groups: cp_test_Finance  Workstation:  MemberOf: cpp1
      Total number of logons listed: 1, filtered: 0
      ----end of FSSO logons----

Creating ClearPass connector

ClearPass Policy Manager (CCPM) is a network access system that can send information about authenticated users to third party systems, such as a FortiGate or FortiManager. ClearPass connector for FortiManager centralizes updates from ClearPass for all FortiGate devices and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

You can create multiple ClearPass connectors per ADOM.

Requirements:

  • FortiManager version 5.6 or later ADOM

    This example applies to version 6.0 or later ADOMs.

  • FortiGate is managed by FortiManager and configured to work with ClearPass
  • JSON API is exposed, allowing ClearPass to call it
To configure ClearPass:
  1. Log in to ClearPass Policy Manager..
  2. Create roles:
    1. Go to Configuration > Identity > Roles.
    2. Click Add.
    3. For the name, enter mytest1.

      FortiManager will get this group as an Active Directory group.

      The Description field is optional.

    4. Click Save.
  3. Create local users:
    1. Go to Configuration > Identity > Local Users.
    2. Click Add.
    3. Configure the following:
      • Set User ID to test1.
      • Set Name to testUser1.
      • Set Password to qa1234.
      • Select Enable.
      • Set Role to mytest1.

    4. Click Add.
  4. Add an Ubuntu simulator:
    1. Go to Configuration > Network > Devices.
    2. Click Add.
    3. Configure the following settings:
      • Set Name to Ubuntu_test.
      • Set IP or Subnet Address to 10.3.113.61.
      • Set RADIUS Shared Secret to qa1234.
      • Set Vendor Name to Unix.

    4. Click Add.
  5. Configure FortiManager to get packets from ClearPass:
    1. Add FortiManager as the Endpoint Context Server:
      1. Go to Administration > External Servers > Endpoint Context Servers.
      2. Click Add.
      3. Configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Authentication Method to Basic.
        • Set Username to admin (the administrator on FortiManager).
    2. Create Endpoint Context Server Login action for FortiManager:
      1. Go to Administration > Dictionaries > Context Server Actions
      2. Click Add.
      3. On the Action tab, configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Action Name to Frank-FMG-login.
        • Set Description to Inform FortiManager that the user logged on.
        • Set HTTP Method to POST.
        • Set Authentication Method to Basic.
        • Set URL to /jsonrpc/connector/user/login

      4. On the Header tab, configure the following:
        • Set Header Name to Content-Type.
        • Set Header Value to application/json.

      5. On the Content tab, configure the following:

        • Set Content-Type to JSON.
        • Set Content to:
          {
          																																																																																	   
          																		 
          																																																										  
          																   
          																																																																																																																																																
          																   
          																																																																																																									 
              "adom": "root",
              "connector": "test", <--------the connector name created on FortiManager
              "user": "%{Authentication:Username}",
              "role": "%{Tips:Role}",
              "ip-addr": "%{ip}"
          }

      6. Click Save.
    3. Create Endpoint Context Server Logout action for FortiManager:
      1. Go to Administration > Dictionaries > Context Server Actions
      2. Click Add.
      3. On the Action tab, configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Action Name to Frank-FMG-logout.
        • Set Description to Inform FortiManager that the user logged out.
        • Set HTTP Method to POST.
        • Set Authentication Method to Basic.
        • Set URL to /jsonrpc/connector/user/logout

      4. On the Header tab, configure the following:
        • Set Header Name to Content-Type.
        • Set Header Value to application/json.
      5. On the Content tab, configure the following:
        • Set Content-Type to JSON.
        • Set Content to:
          {
          																																																																																				 
          																   
          																																																																																																																																															 
          																   
          																																																	
          	 
          			
              "adom": "root",
              "connector": "test",
              "user": "%{Authentication:Username}",
              "role": "%{Tips:Role}",
              "ip-addr": "%{ip}"
          							
          																																																										
             
          																																																																																	   
          }
      6. Click Save.
    4. Check that the actions are added to the server:
      1. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions.
      2. Locate the two just created actions.

  6. Create a profile:
    1. Go to Configuration > Enforcement > Profiles.
    2. Click Add.
    3. On the Profile tab, configure the following:
      • Set Template to Session Notification Management.
      • Set Name to FortiManager Login and Logout.
      • Set Description to FortiManager - Initial SSO integration testing.
      • Set Type to Post_Authentication.

    4. On the Attributes tab, configure the following attributes:

      Type

      Name

      Value

      Session-Notify

      Server Type

      Generic HTTP

      Session-Notify

      Login Action

      Frank-FMG-login

      Session-Notify

      Logout Action

      Frank-FMG-logout

      Session-Notify

      Server IP

      10.3.113.57

    5. Click Save.
  7. Create a policy:
    1. Go to Configuration > Enforcement > Policies.
    2. Click Add.
    3. On the Enforcement tab, configure the following:
      • Set Name to FortiManager testing.
      • Set Enforcement Type to RADIUS.
      • Set Default Profile to Allow Access Profile.

    4. On the Rules tab, configure the following:
      • Set Type to Date.
      • Set Name to Date-Time.
      • Set Operation to EXISTS.
      • Set Profile Names to [Post Authentication][FortiManager - Login and Logout].

    5. Click Save.
  8. Create services:
    1. Go to Configuration > Services.
    2. Click Add.
    3. On the Service tab, configure the following:
      • Set Name to API Test Access OAuth2 API User Access.
      • Set Description to Authentication service for API access using OAuth2.
      • Set Type to Aruba Application Authentication.
      • Set Status to Enabled.

    4. On the Authentication tab, set Authentication Sources to:

      [Local User Repository] [Local SQL DB]

      [Admin User Repository] [Local SQL DB]

    5. On the Enforcement tab, configure the following:
      • Set Enforcement Policy to [Guest Operator Logins].
      • Set Description to Enforcement policy controlling access to Guest application.
      • Set Default Profile to [Deny Application Access Profile].
      • Set Rules Evaluation Algorithm to first-applicable.
      • Create the following two conditions:

        Conditions

        Enforcement Profiles

        1.

        (Tips:Role EQUALS [User Authenticated])

        AND  (Authentication:Source EQUALS [Local User Repository])

        [Operator Login - Local Users]

        2.

        (Tips:Role EQUALS [User Authenticated])

        AND  (Authentication:Source EQUALS [Admin User Repository])

        [Operator Login - Admin Users]

    6. Click Save.
    7. Click Add again to add another service.
    8. On the Service tab, configure the following:
      • Set Name to AuthN user for Fortimanager Testing.
      • Set Description to Authorization service for AirGroup device access.
      • Set Type to RADIUS Enforcement ( Generic ).
      • Set Status to Enabled.
      • Create the following service rule:

        Type

        Name

        Operator

        Value

        Radius:IEFT

        NAS-IP-Address

        EQUALS

        10.0.0.1

    9. On the Authentication tab, configure the following:
      • Set Authentication Methods to [PAP].
      • Set Authentication Sources to [Local User Repository] [Local SQL DB].
    10. On the Enforcement tab, configure the following:
      • Set Enforcement Policy to fortimanager testing .
      • Set Default Profile to [AllowAccess Profile].
      • Set Rules Evaluation Algorithm to evaluate-all.
      • Create the following condition:

        Conditions

        Enforcement Profiles

        1.

        (GuestUser:Company Name NOT_EQUALS ABCDE)

        [FortiManager-login and Logout]

    11. Click Save.
  9. Configure the administrator the FortiManager fabric connector uses to access CPPM APIs:
    1. Go to Administration > Admin Users.
    2. Click Add.
    3. Configure the following:
      • Set User ID to admin.
      • Set Name to admin.
      • Set Password to qa987654.
      • In Verify Password enter the password again.
      • Select Enable User.
      • Set Privilege Level to API Administrator.
    4. Click Save.
  10. Create an API Client:
    1. Log in to ClearPass Guest.

    2. Go to Administration > API Services > API Clients.
    3. Click Create API Client.
    4. Configure the following:
      • Set Client ID to test.
      • Set Desciption to FMG login from it.
      • Select Enable API client.
      • Set Operator Profile to Super Administrator.
      • Set Grand Type to Username and password credentials (grant_type=password).
      • In Public Client select This client is public (trusted) client.
      • In Refresh Token select Allow the use of refresh tokens for this client.

    5. Click Save.
To configure FortiManager:
  1. Log in to FortiManager.
  2. Run the following CLI command:
    config system admin user
        edit  admin
            set rpc-permit read-write
        next
    end
  3. Go to Fabric View > Fabric Connectors.
  4. Click Create New.

  5. Select ClearPass, then click Next.
  6. Configure the following:
    • Set Name to test. This name must be same as the one used in the ClearPass actions.
    • Set Status to On.
    • Set Server to 10.3.113.102 (the ClearPass IP address).
    • Set Client to test (the previously created ClearPass API client).
    • Set User to admin (the ClearPass login name).
    • Set Password to qa1234 (the ClearPass login password).

  7. Click OK.
  8. Get the role and user from ClearPass:
    1. Go to Policy & Objects > Object Configurations > Fabric Connectors >SSO/Identity.
    2. Edit the ClearPass connector and click Apply & Refresh.

      FortiManager retrieves the roles and users from ClearPass. Users with green icons are currently logged in.

  9. Install the address group from ClearPass to FortiGate:
    1. On the FortiManager, go to Policy & Objects > Object Configurations > User & Devices > User Groups.
    2. Click Create New.
    3. Configure the following:
      • Set Group Name to cpp1.
      • Set Type to FSSO/SSO Connectors.
      • Select Members as ClearPass adgrp.

  10. Use the new user group in a policy to install it to FortiGate.
  11. To check that the group was installed on the FortiGate:
    1. On the FortiGate, go to User & Device > User Groups. The group will be in the user group list.
    2. Edit the group to view its members.
    3. In the CLI console, enter the following:
      # diagnose debug authd fsso list
      ----FSSO logons----
      IP: 10.210.15.185  User: user1  Groups: cp_test_Finance  Workstation:  MemberOf: cpp1
      Total number of logons listed: 1, filtered: 0
      ----end of FSSO logons----